Message-ID: <20111107200008.GW12447@tux1.beaverton.ibm.com>
Date:	Mon, 7 Nov 2011 12:00:08 -0800
From:	"Darrick J. Wong" <djwong@...ibm.com>
To:	Andreas Dilger <adilger.kernel@...ger.ca>
Cc:	Theodore Tso <tytso@....edu>,
	Sunil Mushran <sunil.mushran@...cle.com>,
	Martin K Petersen <martin.petersen@...cle.com>,
	Greg Freemyer <greg.freemyer@...il.com>,
	Amir Goldstein <amir73il@...il.com>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Andi Kleen <andi@...stfloor.org>,
	Mingming Cao <cmm@...ibm.com>,
	Joel Becker <jlbec@...lplan.org>,
	linux-fsdevel <linux-fsdevel@...r.kernel.org>,
	linux-ext4@...r.kernel.org, Coly Li <colyli@...il.com>
Subject: Re: [PATCH 15/28] ext4: Calculate and verify block bitmap checksum

On Thu, Oct 13, 2011 at 12:16:31AM -0700, Darrick J. Wong wrote:
> On Wed, Oct 12, 2011 at 06:00:40PM -0600, Andreas Dilger wrote:
> > On 2011-10-08, at 1:55 AM, Darrick J. Wong wrote:
> > > Compute and verify the checksum of the block bitmap; this checksum is
> > > stored in the block group descriptor.
> > > 
> > > @@ -353,11 +360,26 @@ ext4_read_block_bitmap(struct super_block *sb, ext4_group_t block_group)
> > > 	/*
> > > 	 * file system mounted not to panic on error,
> > > +	 * -EIO with corrupt bitmap
> > > 	 */
> > > +	ext4_lock_group(sb, block_group);
> > > +	if (!ext4_valid_block_bitmap(sb, desc, block_group, bh) ||
> > > +	    !ext4_block_bitmap_csum_verify(sb, block_group, desc, bh,
> > > +					   EXT4_BLOCKS_PER_GROUP(sb) / 8)) {
> > > +		ext4_unlock_group(sb, block_group);
> > > +		put_bh(bh);
> > > +		ext4_error(sb, "Corrupt block bitmap - block_group = %u, "
> > > +			   "block_bitmap = %llu", block_group, bitmap_blk);
> > > +		return NULL;
> > > +	}
> > > +	ext4_unlock_group(sb, block_group);
> > > +	set_buffer_verified(bh);
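Review bot: The single ext4_error() call in the failure branch reports both a failed ext4_valid_block_bitmap() and a failed ext4_block_bitmap_csum_verify() with the same "Corrupt block bitmap" text, so the log cannot distinguish a structurally invalid bitmap from a checksum mismatch. Splitting the condition, or naming the failed check in the message, would make the report actionable. The comment above now reads "-EIO with corrupt bitmap" while this branch returns NULL, so it should say where NULL becomes -EIO or be reworded.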
> > 
> > I've been thinking a while that we should add per-group error flags
> > for the block and inode bitmaps.  That way, if we detect errors with
> > either one, we can set the flag in the group descriptor and avoid
> > using it for any allocations in the future.  Otherwise, we try to
> > read the bitmap in repeatedly.
> 
> I think there's some code in ext4 somewhere that does that.  I also wonder if
> the possibility that we're seeing a transient corruption error is worth
> rechecking the block until it fails?  (I suspect not, but I decided to throw
> that out there anyway.)

There's a bit of code in ext4_init_block_bitmap that makes a block group
unwritable if the bg checksum fails to verify:

/* If checksum is bad mark all blocks used to prevent allocation
 * essentially implementing a per-group read-only flag. */
if (!ext4_group_desc_csum_verify(sbi, block_group, gdp)) {
	ext4_error(sb, "Checksum bad for group %u",
			block_group);
	ext4_free_blks_set(sb, gdp, 0);
	ext4_free_inodes_set(sb, gdp, 0);
	ext4_itable_unused_set(sb, gdp, 0);
	memset(bh->b_data, 0xff, sb->s_blocksize);
	ext4_block_bitmap_csum_set(sb, block_group, gdp, bh,
				   EXT4_BLOCKS_PER_GROUP(sb) /
				   8);
	return 0;
}

Do people think that doing this in the event of a block/inode bitmap checksum
failure is a good idea?

--D
> 
> > > @@ -803,6 +842,11 @@ static int ext4_mb_init_cache(struct page *page, char *incore)
> > > 	if (groups_per_page == 0)
> > > 		groups_per_page = 1;
> > > 
> > > +	csd = kzalloc(sizeof(struct ext4_csum_data) * groups_per_page,
> > > +		      GFP_NOFS);
> > > +	if (csd == NULL)
> > > +		goto out;
> > > +
> > > 	/* allocate buffer_heads to read bitmaps */
> > > 	if (groups_per_page > 1) {
> > > 		err = -ENOMEM;
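Review bot: The new "if (csd == NULL) goto out;" path jumps without assigning err, and the context right below only sets "err = -ENOMEM;" ahead of its own allocation, so a failed kzalloc here may return whatever err held at that point. Assign err = -ENOMEM before the allocation. kcalloc(groups_per_page, sizeof(*csd), GFP_NOFS) would also make the size multiplication overflow-checked.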
> > > @@ -880,22 +924,25 @@ static int ext4_mb_init_cache(struct page *page, char *incore)
> > > 		 * get set with buffer lock held.
> > > 		 */
> > > 		set_bitmap_uptodate(bh[i]);
> > > -		bh[i]->b_end_io = end_buffer_read_sync;
> > > +		csd[i].cd_sb = sb;
> > > +		csd[i].cd_group = first_group + i;
> > > +		bh[i]->b_private = csd + i;
> > > +		bh[i]->b_end_io = ext4_end_buffer_read_sync;
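Review bot: "bh[i]->b_private = csd + i;" gives each buffer head a pointer into the csd array, so csd has to stay allocated until every ext4_end_buffer_read_sync completion has run, and b_private should be reset before csd is freed. Neither the free nor the reset is visible in these lines. A short comment stating the lifetime rule next to the assignment would help.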
> > 
> > It seems to be allocating this extra csd[] and calling the more complex
> > ext4_end_buffer_read_sync() callback regardless of whether the checksum
> > code is enabled or not.  Would it be better to only set the custom
> > callback if we need to verify the checksum?
> 
> Yep, we could go straight to end_buffer_read_sync in the no-csum case.
> 
> --D
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
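Added illustration, not part of the original message or of the ext4 source: a userspace C model of the fencing behaviour in the ext4_init_block_bitmap snippet above, applied to a block bitmap checksum failure. The names struct group, group_load and group_alloc are hypothetical, the 64-block geometry is constructed, and the bitwise CRC32C is an assumed stand-in for the kernel's checksum routine.

```c
#include <stdint.h>
#include <string.h>

#define BLOCKS_PER_GROUP 64                 /* constructed toy geometry */
struct group {               /* hypothetical stand-in for a group descriptor */
    uint8_t  bitmap[BLOCKS_PER_GROUP / 8];
    uint32_t bitmap_csum, free_blocks;
};

static uint32_t bitmap_csum(const struct group *g) {  /* bitwise CRC32C */
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < sizeof g->bitmap; i++) {
        crc ^= g->bitmap[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Verify on load. Returns 0 if the bitmap verified, -1 if the group was fenced. */
static int group_load(struct group *g) {
    if (bitmap_csum(g) == g->bitmap_csum)
        return 0;
    memset(g->bitmap, 0xff, sizeof g->bitmap);  /* every block now looks in use */
    g->free_blocks = 0;
    g->bitmap_csum = bitmap_csum(g);            /* later loads verify quietly */
    return -1;
}

/* First-fit allocation; returns a block number, or -1 if none is available. */
static int group_alloc(struct group *g) {
    if (group_load(g) != 0 || g->free_blocks == 0)
        return -1;
    for (int b = 0; b < BLOCKS_PER_GROUP; b++)
        if (!(g->bitmap[b / 8] & (1u << (b % 8)))) {
            g->bitmap[b / 8] |= (uint8_t)(1u << (b % 8));
            g->free_blocks--;
            g->bitmap_csum = bitmap_csum(g);
            return b;
        }
    return -1;
}

int main(void) {
    struct group g = { .bitmap = { 0x0f }, .free_blocks = 60 };
    g.bitmap_csum = bitmap_csum(&g);
    g.bitmap[3] ^= 0x10;                    /* constructed single-bit corruption */
    return group_alloc(&g) == -1 ? 0 : 1;   /* exit 0: the bad group was fenced */
}
```

In this model the first failed load is the only one that reports an error: the recomputed checksum over the all-ones bitmap lets later loads pass while the allocator finds nothing free, at the cost of discarding the group's in-memory allocation state.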
